IBM Targets Access Control With Security

The ever-growing size and complexity of enterprise networks has greatly complicated the administrator's task of keeping intruders out while allowing authorized users in. But new access management products from IBM and Camelot IT aim to ease that burden.

The ever-growing size and complexity of enterprise networks has greatly complicated the administrators task of keeping intruders out while allowing authorized users in. But new access management products from IBM and Camelot IT Ltd. aim to ease that burden.
IBMs Tivoli Systems Inc. unit is using the release of its Identity Director product this week as the launching pad for a push into security. Along with the new Intrusion Manager and updated Policy Director software, Identity Director is a major part of the companys move into the authentication and authorization arena.

The company is also planning a privacy-related announcement later this fall and is working on integrating its public-key infrastructure technology into its other products.

As convenient as such software is, customers said it often takes some time for users and management to see the benefits of an overarching security product such as Identity Director or Policy Director.
"These things are not that hard to implement, but getting consenus is difficult," said Kirk Kness, assistant vice president of the application architecture group at T. Rowe Price Investment Services Inc., in Baltimore, and a Tivoli customer. "People dont really understand the true distributed model or why you need an identity engine or authorization engine. But everything hinges on authentication, customization and personalization. Everything has to work off the same identity or theres no way to manage it," he said.
T. Rowe Price, which has been using Tivolis Policy Director for four years, has more than 80 applications running on the software and sees upward of 45,000 logins each day. Also, all of the companys customers are in an LDAP (Lightweight Directory Access Protocol) database that is also secured by Policy Director.
All of this is transparent to the end user, which is as it should be, Kness said. The user shouldnt know the difference, he said. "Security should be about letting people in."
Identity Director extracts user data from a variety of applications, such as human resources applications and help desk software, and creates a user profile in an LDAP directory. Users can then access a Web-based interface through which they can perform a variety of tasks, including resetting their passwords.
The software is meant to provide administrators with a single point for managing user profiles and access levels, said Arvind Krishna, vice president of security products at Tivoli, in Austin, Texas. Combined with Policy Director, Krishna said he believes Identity Manager gives Tivoli a strong position in the authentication and authorization market.
"[Authentication, authorization and administration] has the best growth potential, and it will be our focus," he said. "Access management and identity management are the keys."
Identity Director also has an embedded provisioning engine, which automates the implementation of administrative requests, and role-based delegated administration, giving administrators the ability to parcel out some of their duties to department heads or regional managers.
Camelot, meanwhile, has added a host of features to Version 1.3 of its , which it will launch this week at the Computer Security Institute show in Washington.
Hark monitors users behaviors and maps their resource usage, giving administrators a real-time snapshot of their activities.
The system then generates security policies for each user, based on the levels they need to perform their jobs. In the same way, new permissions are granted when a users habits change, and old ones are deleted when theyre no longer needed.
"Most companies allow users to have far more access than they need," said Ofer Gandish, executive vice president of technology at Camelot, based in New York.